The State of Texas and StateRAMP

Learn more about the partnership between the State of Texas and StateRAMP, and how it benefits you.


About the Program

Why StateRAMP

Protecting our State’s most sensitive and critical information is a team sport in Texas. While we have cybersecurity teams working non-stop to protect and defend our networks and systems from bad actors, the threats are always changing, and we must work to stay ahead by strengthening those networks and systems.

One way we can do this is by ensuring that the vendors that touch or hold any of our critical data are meeting minimum cybersecurity standards. This is where StateRAMP comes in.

StateRAMP has partnered with Texas to assist providers in meeting the statutory requirements of TX-RAMP, while also affording them the benefit of transferable credentials through standardized cybersecurity verification. This allows providers to verify once to serve many.

StateRAMP (State Risk and Authorization Management Program) has developed a roadmap for vendors to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.

Learn more about StateRAMP on stateramp.org.

Texas Department of Information Resources (DIR)

The How

DIR and StateRAMP are partnering to help providers meet the statutory requirements of TX-RAMP. DIR has updated TX-RAMP’s cybersecurity procedures and policy language to allow both the StateRAMP Progressing Security Snapshot Program and StateRAMP authorization to meet TX-RAMP requirements for vendors that touch or hold our data.

The Texas Department of Information Resources (DIR) delivers technology solutions to state and local government entities. Specifically, DIR is here to:

  • Offer purchasing support and policy insights so organizations across all levels of Texas government can find and securely implement modern technology
  • Set forth strategic direction for IT statewide through policies and guidance
  • Analyze cybersecurity risks and solutions
  • Empower state and local government entities with reliable and secure technology
  • Assist with technology procurement/purchasing
  • Collaborate with technology vendors
  • Create a dynamic online community for knowledge sharing

The approximately 250 professionals who work at DIR are driven by a sincere desire to make governmental technology more secure, cost-effective, and forward-looking.

For more information about DIR, please visit the Texas Department of Information Resources home page.

Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. StateRAMP is composed of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

No. Every product your organization enrolls in StateRAMP’s Progressing Security Snapshot Program satisfies the requirements for TX-RAMP Provisional Certification. Additionally, this program affords you Provisional Certification without the 18-month time limitation. Once your product has achieved TX-RAMP Provisional via the Progressing Security Snapshot Program, you should begin working towards a StateRAMP Ready or Authorized status.

* Please note: While you are able to use a single Security Snapshot to qualify for limited TX-RAMP Provisional Certification, using this method will limit you to 18 months of TX-RAMP Provisional status. After 18 months, your product MUST have achieved TX-RAMP certification, StateRAMP Ready, or StateRAMP Authorized.

While StateRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a StateRAMP security status.

To participate in the StateRAMP Progressing Security Snapshot Program, providers need to become a member of StateRAMP and submit a Progressing Security Snapshot Request. Once the form is submitted and payment is fulfilled, providers will receive further instructions from the security team at the Program Management Office on how to schedule the Security Snapshot Review call.

We strive to provide Snapshot scores within three weeks of receiving payment. If you have time constraints due to solicitations, please indicate them on the StateRAMP Security Snapshot request form. Our security team at the Program Management Office will make every effort to accommodate your needs.

After the initial call, you will receive a Snapshot score. Additionally, you will receive quarterly updated Snapshots and have access to monthly one-hour consultative calls with our security team. These measures ensure that you are making progress toward meeting the requirements of a StateRAMP Ready Review.

The updated StateRAMP fee schedule outlines the costs for the StateRAMP Security Snapshot.

No. The TX-RAMP Provisional certification requires providers to catalog the available security artifacts and assurances.

However, to qualify for TX-RAMP Provisional Status, providers must provision access for DIR and other appropriate Texas agencies to view Snapshots and Progressing Notes.

No. Every Friday StateRAMP sends a report directly to DIR listing all products enrolled in the Progressing Security Snapshot Program.

StateRAMP has a weekly automated sync, and every Friday afternoon, StateRAMP Ready and Authorized products appear on the TX-RAMP list.

To learn more about how to obtain a StateRAMP Ready Status, visit our Getting Started with StateRAMP Guide for Service Providers. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process.

Continuous monitoring is the monthly security status check of the provider. It begins once a product achieves a StateRAMP milestone status of Ready, Provisional, or Authorized. Continuous monitoring ensures a service provider’s solution is progressing with its security requirements and that the system remains in a secure state. It gives insights into a solution’s vulnerabilities, and monthly checks allow service providers to close out items and align with StateRAMP requirements. Continuous monitoring helps identify areas of risk so service providers can take action to protect the system as soon as possible.

Download StateRAMP’s Continuous Monitoring Guide.

Please find a comparison of SOC2 vs. StateRAMP below. A comparison of FedRAMP to StateRAMP can be found on the StateRAMP.org site. More framework mappings will be available with the adoption of NIST 800-53 (rev. 5).

If you have additional questions regarding StateRAMP, please visit: Frequently Asked Questions – StateRAMP

If you have additional questions about TX-RAMP please visit: Frequently Asked Questions – TX-RAMP

For questions or more information about StateRAMP, please contact: info@stateramp.org

If you have any questions about TX-RAMP, please contact: tx-ramp@dir.texas.gov

Announcements

Check out the recent webinar between StateRAMP and TX-RAMP below! 

Overview of TX-RAMP

TX-RAMP stands for Texas Risk and Authorization Management Program. It is a program of the Texas Department of Information Resources (DIR) that provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency. 

TX-RAMP has two assessment and certification levels: Level 1 for public/non-confidential information or low impact systems, and Level 2 for confidential/regulated data in moderate or high impact systems. Cloud computing services that do not create, process, or store confidential state-controlled data, or connect with agency systems or networks that create, process, or store confidential state-controlled data are not required to be TX-RAMP certified.

For more information on the TX-RAMP program and its requirements, download the TX-RAMP Program Manual below. 

TX-RAMP Certified Products 

You can find more information about TX-RAMP Certified Products and the differences between provisional and full certification at the link below.

TX-RAMP Resources

For additional TX-RAMP resources, click below to go to the TX-RAMP Resource Library.

StateRAMP Overall Statement

StateRAMP is accepted by Texas and other states. Click below to see a list of StateRAMP’s participating governments.

State and Local Government

Contact us and schedule a conversation to get started. For more information about how StateRAMP works with governments, visit our Governments page.

Providers

For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. StateRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.